2492 Views, 0 Helpful, 4 Replies

DKIM Failure Notification to Sender

phogs (Level 1)

Hi,

Is it good and secure to tune our DKIM email security policy to notify the sender when they fail DKIM verification, instead of dropping the message? That way the sender can also fix their DKIM setup on their end.

 

What's the best practice for this?

 

Thank you in advance.

-Daniel Plazo


4 Replies

robegum (Cisco Employee)
Hi Daniel,

You can certainly send the notification to the sender if they are failing DKIM, as you have specified in the content filter. However, this isn't a recommended way, because there may be a lot of spoofed emails and you end up sending lots of notifications to non-intended senders (like a bounce attack).

There are two better ways:
1. Have the sender publish a DMARC record such that they are automatically notified (at the RUF address) when DMARC/SPF/DKIM policy evaluation fails.

2. If it's a specific sender, you may use a message filter, such as: if Sendergroup == Name (add all the IPs to a sendergroup) and DKIM result == fail, then notify the user. That way you're only notifying the intended sender.

Regards,
Roquiya

Hello Roquiya,

Even though IronPort has multiple layers of defense? Is this enough to consider the email notification?

 

Thank You.

-Daniel

The problem with DMARC is that unless the sender is set up to leverage DMARC result data, they will never find out that there is an issue with either SPF or DKIM.

 

While the deployment rate is increasing, most companies use DMARC to reject untrusted sending IPs automatically. There are only very few companies which leverage DMARC or even ARC result codes for data mining.

 

I hope those 2 cents add to Cisco's answer.

 

-Marc
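Robegum's first suggestion (have the sender rely on DMARC RUF reports) and Marc's point that a sender only learns about a failure if they are set up to consume DMARC result data both turn on a detail of the sender's DMARC record. The following is an added example, not code from this thread or from Cisco: it parses a DMARC record and applies the fo= failure-reporting options from RFC 7489 section 6.3 to decide whether a receiver would send a failure report for a given message, and to which ruf= addresses. The records and mailboxes under example.com are constructed for the example.

```python
# Added example (not from the thread or from Cisco): when does a sending
# domain's DMARC record actually ask for a failure report (RUF) about a
# message whose DKIM signature failed? Follows RFC 7489 section 6.3.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResult:
    """Authentication outcome for one received message, as a DMARC verifier sees it."""
    spf_passed: bool      # SPF evaluation returned "pass"
    spf_aligned: bool     # ...and the SPF-checked domain aligns with the From: domain
    dkim_verified: bool   # at least one DKIM signature verified
    dkim_aligned: bool    # ...and that signature's d= domain aligns with From:


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into a {tag: value} dict with lowercase tag names."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def dmarc_pass(r: AuthResult) -> bool:
    """DMARC passes when either mechanism yields an aligned pass."""
    return (r.spf_passed and r.spf_aligned) or (r.dkim_verified and r.dkim_aligned)


def failure_report_due(tags: dict[str, str], r: AuthResult) -> bool:
    """Apply the fo= tag (default "0") to one message's authentication results."""
    options = {opt.strip() for opt in tags.get("fo", "0").split(":")}
    spf_aligned_pass = r.spf_passed and r.spf_aligned
    dkim_aligned_pass = r.dkim_verified and r.dkim_aligned
    if "1" in options and not (spf_aligned_pass and dkim_aligned_pass):
        return True  # fo=1: any mechanism failed to produce an aligned pass
    if "d" in options and not r.dkim_verified:
        return True  # fo=d: DKIM signature failed to verify, alignment irrelevant
    if "s" in options and not r.spf_passed:
        return True  # fo=s: SPF produced something other than pass, alignment irrelevant
    if "0" in options and not dmarc_pass(r):
        return True  # fo=0: only when the message fails DMARC outright
    return False


def failure_report_targets(record: str, r: AuthResult) -> list[str]:
    """URIs from ruf= that would receive a failure report for this message, else []."""
    tags = parse_dmarc(record)
    if "ruf" not in tags:
        return []  # the sending domain never asked for failure reports at all
    if not failure_report_due(tags, r):
        return []
    return [uri.strip() for uri in tags["ruf"].split(",") if uri.strip()]


# Constructed sample records for a hypothetical sending domain, example.com.
SAMPLE_RECORDS = {
    "ruf_default_fo": "v=DMARC1; p=quarantine; rua=mailto:dmarc-agg@example.com; "
                      "ruf=mailto:dmarc-fail@example.com",
    "ruf_fo_1": "v=DMARC1; p=reject; ruf=mailto:dmarc-fail@example.com; fo=1",
    "ruf_fo_d_s": "v=DMARC1; p=none; ruf=mailto:dkim@example.com, mailto:soc@example.com; fo=d:s",
    "no_ruf": "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com",
}

# The situation from the thread: the sender's DKIM setup is broken, SPF still passes.
DKIM_BROKEN_SPF_OK = AuthResult(spf_passed=True, spf_aligned=True,
                                dkim_verified=False, dkim_aligned=False)
EVERYTHING_FAILED = AuthResult(False, False, False, False)


def demo() -> dict[str, list[str]]:
    """Who would hear about the broken DKIM signature, per sample record."""
    return {name: failure_report_targets(rec, DKIM_BROKEN_SPF_OK)
            for name, rec in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for name, targets in demo().items():
        print(f"{name:16s} -> {targets or 'no failure report'}")
```

The point it makes explicit: with a ruf= tag but no fo= tag the default is fo=0, so a sender whose SPF still passes receives nothing about a broken DKIM signature; only fo=1 or fo=d produces a report for that case, and a record with no ruf= tag at all never does. Failure reporting is also optional for receivers under RFC 7489, so even a correctly tagged record is not a guarantee that the sender is told.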

marc.luescherFRE (Spotlight), accepted solution

The key problem with notifying the sender is that they very often have no clue what DKIM is or means. Also, a lot of external applications sending on behalf of a domain fall into this category.

 

A while back we had asked for a feature request to be able to inform the postmaster of the sending domain instead, but this has not yet been implemented.

 

Based on experience, we track DKIM failures by copying the email into a DKIM quarantine so we can analyse further, but notifying is/was not a good idea.

 
I hope that helps.

 

-Marc